This is the second in a series
of four or five posts on the need to rewrite CIP-002-5.1. You can find the
first post here.
II. The Primary Problem with CIP-002-5.1
CIP-002-5.1 R1 and Attachment 1 are confusing and contradictory. However,
this hasn’t stopped NERC entities, Regional auditors and even NERC staff
members from coming to a pretty good consensus on what it means. And this is a
good thing – otherwise, the effort to implement CIP v5 would be at a standstill.
However, the fundamental problem with CIP-002-5.1 R1 is that this
consensus is completely at variance with the words in the standard. It is
literally true that an entity can’t comply with the standard – in the way that
virtually all parties agree it should be done – without violating the wording. And
if an entity were to try to follow the literal wording of the standard, they
could never come into compliance – the wording is vague and contradictory, and omits
many required steps. There is simply no way the compliance process could be
flowcharted, even if the chart were the size of Yankee Stadium. This makes this
standard completely unenforceable, and is the primary reason that I say it has
to be rewritten before CIP v5 (and v6, and probably later versions) can be enforceable.
Here is the way most NERC entities I have talked to, as well as most
auditors and others who have given presentations at Regional Entity meetings,
understand the compliance process for CIP-002-5.1 R1.[i]
- Using the list of
six asset types in R1, identify all assets owned by the entity (or
operated by them) that correspond to one of those types.
- For each of these
assets, identify those that are High or Medium impact.
- At each of the
High or Medium impact assets, identify BES Cyber Assets using the
definition, then aggregate these into BES Cyber Systems (the process - or really processes - that gets you from BCA to BCS is of course not described in the standard, but there has been some guidance published on this, including by me. My guess is auditors aren't going to worry about that too much, as long as the entity can show that every BCA is included in one or more BCS).
- Classify High and
Medium impact BCS. Except in the case of large generating stations that
fall under Criterion 2.1, all BCS located at a High asset will be High;
all BCS located at a Medium asset will be Medium.
- List assets not classified as High or
Medium as Low impact (specifically, “containing a Low BCS”).
This is a nice, simple methodology. It corresponds very closely to the
CIP v1-v3 methodology, if you substitute Critical Asset for High or Medium
impact asset and Critical Cyber Asset for BES Cyber Asset and BES Cyber System.
In fact, I know some entities are even using the definition of Critical Cyber
Asset (a Cyber Asset “essential to the operation of” a Critical Asset) as a
guide to identifying BCAs. Given that there is little guidance on how to
interpret the words at the core of the BCA definition - “affect the reliable
operation of the BES” – this isn’t such a terrible way to do it.
However, there is one big problem with the above methodology: it doesn’t
correspond at all with the greater part of the wording of CIP-002-5.1 R1 and
Attachment 1. What does the wording
actually say? Aye, there’s the rub – it’s literally impossible to give a clear account
of what R1 says, other than to say that it in no way corresponds with the
popular methodology described above. There are three main problems with it.
First, the wording is far too compressed. CIP-002-3 had three
requirements leading up to identification of CCAs; CIP-002-5.1 has one, yet it
actually encompasses (explicitly or implicitly) many more steps than the three
v3 requirements did (in fact, R1 implicitly contains all 15 of the steps listed
below, plus many others as well). When you’re writing regulatory standards,
brevity isn’t a virtue – clarity is. Save the brevity for when you’re writing haiku poetry.
Second, some key steps are left entirely implicit; it is up to the entity
to figure them out, usually by having to go to a definition. For example, one
of the most important steps in the v5 asset identification process – the
identification of BES Cyber Systems at Medium and High assets - is nowhere to
be found in R1 (the word “Identify” is used in R1.1-1.3, but those requirement
parts are actually telling the entity to classify
BCS, rather than to identify them in the first place). The entity has to piece
together their own idea of how to identify BCS by looking at the definitions of
Cyber Asset, BCA and BCS; this leads to what I call the “bottom-up” approach to
BCS identification.
But there’s another approach to BCS identification, outlined in the
Guidance and Technical Basis. This one is based on the BROS, and is what I call
“top-down”. There is no acknowledgement in R1 that there even are two
approaches; yet since the BROS aren’t in the requirement at all but the three
definitions are, by implication this means “bottom-up” is really the “required”
approach. If so, why are the BROS talked about at all in the Guidance? No word
on that, although I’ll give my theory on this in the next post in this series.
But I believe both approaches have their uses. Bottom-up is better for
substations and Criteria 2.3 or 2.6 generating stations; top-down is better for
control centers and Criterion 2.1 generating stations. You can read more about
these two approaches in this
post.
The third problem with R1 and Attachment 1 is that, even if you have an
idea what the steps are that need to be taken to comply with R1, the order in
which they need to be taken is not apparent from reading the requirement. You
just need to piece them together logically.
Fortunately, I have pieced these “implied” steps together as best I can.
I’m now ready to show you the primary steps that I believe are required for
compliance with R1.[ii] When
I get done, see if you can even remember half of them, let alone repeat them in
logical order (as you read the steps below, you’ll realize that many of them
actually contain a number of sub-steps).
- Develop a list of
BES assets that meet one of the six asset types listed in R1.
- Decide whether,
for substations, your entity will classify BCS based on the “rating” of
the substation or that of the Facility (the line, transformer, bus, etc.)
with which the BCS is associated.[iii]
An entity that takes the second option will be able to classify some BCS
at “Medium” impact substations as Low impact, not Medium. As far as I can
see, most entities are taking the former option, not the latter. In almost
all cases, this is because the entity doesn’t understand that there are
two ways to do this (since no Regional Entity I know of has been promoting
the idea that entities have these two options). In the few cases I know of
where the entity understands the options and has deliberately chosen the
first one, it is because they think it will complicate the asset
identification process too much to implement the second option.[iv]
I disagree with this assertion in general, but I do agree that there are organizational
reasons why the second option might not work for many NERC entities. In any
case, the entities should be told they have both options, and this isn’t
being done at all now. It’s too bad, since it can potentially save an
entity a lot of time and money required to implement v5 compliance.
- If the entity has
decided to take the second option above, then it still needs to identify
“Medium” substations (although a better description would be “substations
containing one or more Medium impact Facilities”). At these substations,
it then identifies the Medium Facilities, leaving other BES Facilities at
the substation to be Low impact.[v]
- If the entity has
decided to base their R1 process on assets, not Facilities (i.e. the first
option in step 2), they must use the asset list from step 1 to identify
High and Medium impact assets by running through the bright-line criteria
(since criteria 2.4-2.8 refer to Facilities, this means not paying
attention to that word and substituting the word “Substation”. Similar
tricks have to be played with some of the other criteria, including 2.3,
2.9 and 2.10. Are you writing all of this down?).
- If the entity has
decided to take advantage of the word “Facilities” in Criteria 2.4 to 2.8
(i.e. they’re using option 2 in the second step above), they need to
identify the Facilities at each Transmission substation that meet one or
more of these criteria. For example, a 500kV line will always become a
Medium impact Facility under Criterion 2.4, and the substation it’s located
at will be called a “Medium” substation; but a 345kV line located at the
same substation will be Low impact.[vi]
- Once all assets
and/or Facilities that are High or Medium impact have been identified,
then BES Cyber Systems must be identified. This identification step, which
is nowhere stated in R1 or Attachment 1[vii],
is probably the most important in the R1 process. Since no BCS
identification process is stated in the requirement, the entity is left to
piece together whatever procedure it can, based on the definitions of
Cyber Asset, BES Cyber Asset and BES Cyber System (which I call the
“bottom-up” procedure). However, a different process is described in the
Guidance and Technical Basis section, where the concept of BES Reliability
Operating Service is introduced and used as the basis for identifying BCS
(I call this the “top-down” procedure). For a description of these two
procedures and when I believe each one is applicable, see this
post.
- There is an
important difference between High and Medium impact BCS that must be
“overlaid” on the above procedures for identifying BCS. This is due to the
fact that, in Attachment 1, High BCS are defined as those “used by and
located at” High assets (which are all Control Centers, of course), while
Medium BCS are defined as those “associated with” Medium assets or
Facilities. This means that High BCS will always be located at the Control
Center that meets the High criterion, whereas Medium BCS don’t necessarily
have to be located at a Medium asset.
- Since BCS
associated with Medium assets or Facilities don’t have to be located at
the same asset, this in theory means they could be located anywhere. The
one restriction is that the BCS must always be located at one of the six
asset types in R1. So if an AGC system (that meets the definition of
BCS/BCA – 15 minute impact, etc.) associated with a Medium generating
station is located in another plant or in a Transmission substation, it
will itself be a Medium BCS. If it’s located in somebody’s basement, it’s
not a Medium BCS.
- The interesting
question is how the entity will identify associated BCS that aren’t
located at the Medium asset. And the answer to that is they will simply
have to know they’re there. However, this
is not how R1 reads. Taken literally, R1 implies that the entity has
to scour every asset it has that
corresponds to one of the six types, to identify BCS. Of course, High BCS
will always be at a High Control Center, so the entity only needs to look
at those Control Centers to find High BCS. But Medium BCS don’t have to be
at a Medium asset, so every High, Medium and Low asset needs to be gone
over with a fine-toothed comb to identify any BCS that are associated with
any one of the Medium assets or
Facilities (not just the one they’re located at). Of course, this requires
conducting an inventory of every
cyber asset at all Low assets, determining which of these are Cyber
Assets, then determining which Cyber Assets are BES Cyber Assets (and
finally grouping these into BCS). Of course, none of the regions are
interpreting R1 this way, so you don’t have to worry about having to
actually do this[viii].
But it’s just another example of the wording of R1 not corresponding to
how people are actually going to comply with it – and the result is that
the only way to sensibly comply with R1 is to disregard most of its
wording.
- The next step in
the R1 compliance process – as it is written or implied by the actual
wording – is to classify the BCS
that have just been identified, that are “used by and located at” High
impact Control Centers and “associated with” Medium impact assets. This is
pretty easy, of course, as long as you watch these words carefully. Every
BCS located at a High Control Center will itself be High, unless it is
associated with a Medium or Low impact asset or Facility and is not also
used by the Control Center itself – in which case it will be Medium or Low.
And every BCS associated with a Medium Facility and/or asset will be
Medium, except for BCS in a Criterion 2.1 generating plant, which will be
Low if they impact less than 1500MW (aren’t you having fun so far?).
- The above step
needs to be modified in the case that the entity is using the second
option in step 2 and classifying BCS in substations according to the
Facility they’re associated with. As described in step 5, some Facilities
(lines, etc) will be Medium, some Low. The BCS (which will more often than
not be relays) associated with Medium lines will be Mediums, and those
associated with Low lines will be Lows.
- The last major
step in the CIP-002-5.1 R1 compliance process is to identify Low impact
assets. Since every asset that corresponds to one of the six asset types
in R1 will have to be High, Medium or Low impact, all you have to do is
subtract the Highs and Mediums from this list in order to identify the
Lows – right? Again, this is how just about all entities will do it, but
once again this requires violating the wording of the requirement (and
Attachment 1). R1.3 says the entity has to identify “each asset that
contains a low impact BES Cyber System according to Attachment 1, Section
3...” So now you go to Attachment 1, Section 3, and what do you find? It
says you’re supposed to identify “BES Cyber Systems not included in
Sections 1 or 2 above that are associated with any of the following assets...” What’s going on here? R1.3 says you’re
supposed to be identifying assets that “contain Low BCS”, yet Section 3
says you’re supposed to be identifying Low BCS themselves – even though
R1.3 says explicitly that no list of Low impact BCS is required!
Fortunately, all entities assume that what R1.3 is really saying is what I
just showed above: you just have to take High and Medium assets out of
your total asset list, to come up with Low assets. But this is another
glaring instance of the fact that the only way effectively to comply with
R1 is to violate its literal wording.
- In the “Thank God
for small favors” department, there is one advantage to the fact that Low
assets are referred to as “assets containing Low BCS”: If you can
demonstrate that an asset on your initial Low list actually doesn’t
contain any BCS, then it falls off the charts and you don’t have to apply
even the Low impact requirements to it. For an asset that contains no
cyber assets at all, this is very easy – it obviously can’t contain a Low
BCS. For other assets that do contain cyber assets, if you want to take
the time to show that none of these cyber assets meet the definition of
BCA (i.e., no 15-minute impact on the grid if misused), then you should be
able to remove these assets as Lows as well. I call these assets “No
impact”.
- In putting
together your Low asset list, you also need to keep in mind that any
Medium or High impact assets that contain Low BCS need to be on the Low
list as well. One example of this is a Criterion 2.1 plant that has some
BCS that don’t affect 1500MW; these will be Low BCS, so the plant is both
Medium and Low impact. Another example is a Medium substation that contains
a BCS that is part of an SPS that doesn’t rise to the level of being
included in Criterion 2.9, so the SPS is Low impact. This substation will
also be Medium and Low. A third example: For an entity that is classifying
BCS in substations based on the Facility they’re associated with,
substations that contain both Medium and Low Facilities and associated BCS
(for example, a Criterion 2.4 substation that contains both a 500+kV line
and a 345kV line) will themselves be Medium and Low impact.
- Finally, if your
entity has a Distribution Provider registration and owns one or more of
the asset types listed in Section 4.2.1, these must be listed as Lows.
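To make the distinctions in the list above concrete, here is a small model of the classification steps, written as an added example for this post (it is not the author's method, not anything published by NERC or a Region, and not a compliance tool). It follows the longer list rather than the five-step popular methodology: `by_facility` switches between the two options in step 2, High BCS must be "used by and located at" a High Control Center, Medium BCS are "associated with" a Medium asset wherever they sit (as long as that is one of the six asset types), and the Low list is built as "assets containing a Low BCS", so an asset can appear on both the Medium and Low lists and an asset with no BCAs falls off as "No impact". Only the criteria the post itself spells out are modelled, and in simplified form: Criterion 2.1 (generating station, 1500 MW) and Criterion 2.4 (Facilities at 500 kV and above); every other bright-line criterion is assumed out of scope, which is why a 345 kV line comes out Low here exactly as in the post's example. The six asset type names follow R1, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class AssetType(Enum):                       # the six asset types in R1
    CONTROL_CENTER = "Control Center"
    SUBSTATION = "Transmission station or substation"
    GENERATION = "Generation resource"
    RESTORATION = "System restoration facility"
    SPS = "Special Protection System"
    DP_PROTECTION = "Distribution Provider Protection System (4.2.1)"


@dataclass
class Facility:
    name: str
    kv: int            # nominal operating voltage of the line, bus or transformer


@dataclass
class Asset:
    name: str
    type: AssetType
    facilities: List[Facility] = field(default_factory=list)  # substations only
    net_mw: int = 0                                          # generating stations only
    high_control_center: bool = False   # assumed: High criteria already evaluated elsewhere


@dataclass
class CyberAsset:
    name: str
    located_at: Optional[str]       # asset name; None means "somebody's basement"
    associated_with: str            # asset whose reliable operation it affects
    is_bca: bool                    # meets the BCA definition (15-minute impact)
    facility: Optional[str] = None  # Facility it is associated with, if any
    affected_mw: int = 0            # generation it can affect, for Criterion 2.1 plants
    used_by_control_center: bool = False


def is_medium_facility(fac: Facility) -> bool:
    """Criterion 2.4 as the post describes it: a Facility at 500 kV or above (only criterion modelled)."""
    return fac.kv >= 500


def asset_impact(asset: Asset) -> Optional[str]:
    """Run the asset through the simplified bright-line criteria (2.1 and 2.4 only)."""
    if asset.type is AssetType.CONTROL_CENTER and asset.high_control_center:
        return "High"
    if asset.type is AssetType.GENERATION and asset.net_mw >= 1500:
        return "Medium"
    if asset.type is AssetType.SUBSTATION and any(is_medium_facility(f) for f in asset.facilities):
        return "Medium"
    return None


def classify_bcs(ca: CyberAsset, assets: Dict[str, Asset], by_facility: bool) -> Optional[str]:
    """Return High/Medium/Low for a BCS, or None if the Cyber Asset is not a BCS at all."""
    if not ca.is_bca or ca.located_at not in assets:
        return None   # not a BCA, or not located at one of the six asset types
    host, assoc = assets[ca.located_at], assets[ca.associated_with]
    if asset_impact(host) == "High" and ca.used_by_control_center:
        return "High"   # "used by and located at" a High Control Center
    if asset_impact(assoc) == "Medium":   # "associated with" a Medium asset, wherever located
        if assoc.type is AssetType.GENERATION:
            return "Medium" if ca.affected_mw >= 1500 else "Low"   # 2.1 plant, sub-1500 MW BCS is Low
        if assoc.type is AssetType.SUBSTATION and by_facility:
            fac = next(f for f in assoc.facilities if f.name == ca.facility)
            return "Medium" if is_medium_facility(fac) else "Low"   # option 2: classify by Facility
        return "Medium"   # option 1: every BCS at a Medium substation is Medium
    return "Low"


def build_lists(assets, cyber_assets, by_facility=False) -> Dict[str, Set[str]]:
    """High/Medium lists come from the criteria; the Low list is 'assets containing a Low BCS'."""
    lists = {"High": set(), "Medium": set(), "Low": set(), "No impact": set()}
    hosts_bcs = set()
    for a in assets.values():
        if asset_impact(a):
            lists[asset_impact(a)].add(a.name)
    for ca in cyber_assets:
        level = classify_bcs(ca, assets, by_facility)
        if level is not None:
            hosts_bcs.add(ca.located_at)
            if level == "Low":
                lists["Low"].add(ca.located_at)
    for a in assets.values():           # an asset with no BCS at all drops off the charts
        if a.name not in hosts_bcs and not asset_impact(a):
            lists["No impact"].add(a.name)
    return lists


def sample_inventory():
    """Constructed sample data, not a real entity's inventory."""
    assets = {a.name: a for a in [
        Asset("CC-A", AssetType.CONTROL_CENTER, high_control_center=True),
        Asset("Plant-B", AssetType.GENERATION, net_mw=2000),
        Asset("Sub-C", AssetType.SUBSTATION, [Facility("Line-1", 500), Facility("Line-2", 345)]),
        Asset("Sub-D", AssetType.SUBSTATION, [Facility("Line-3", 230)]),
        Asset("Sub-E", AssetType.SUBSTATION, [Facility("Line-4", 115)]),
    ]}
    cyber = [
        CyberAsset("EMS-1", "CC-A", "CC-A", True, used_by_control_center=True),
        CyberAsset("DCS-1", "Plant-B", "Plant-B", True, affected_mw=2000),
        CyberAsset("Aux-1", "Plant-B", "Plant-B", True, affected_mw=300),
        CyberAsset("AGC-1", "Sub-D", "Plant-B", True, affected_mw=2000),   # Medium BCS sitting at a Low substation
        CyberAsset("AGC-2", None, "Plant-B", True, affected_mw=2000),      # basement: not a BCS
        CyberAsset("Relay-1", "Sub-C", "Sub-C", True, facility="Line-1"),
        CyberAsset("Relay-2", "Sub-C", "Sub-C", True, facility="Line-2"),
        CyberAsset("Relay-3", "Sub-D", "Sub-D", True, facility="Line-3"),
        CyberAsset("Meter-1", "Sub-E", "Sub-E", False),                    # no 15-minute impact
    ]
    return assets, cyber


if __name__ == "__main__":
    assets, cyber = sample_inventory()
    for opt in (False, True):
        print("by_facility =", opt, build_lists(assets, cyber, opt))
```

Running it shows the points the post makes: Plant-B lands on both the Medium and Low lists because of its 300 MW BCS, Sub-C does the same only under the Facility option (Relay-2 on the 345 kV line is Medium under option 1 and Low under option 2), AGC-1 is a Medium BCS even though Sub-D is itself a Low substation, AGC-2 is not a BCS at all because it is not at one of the six asset types, and Sub-E is "No impact" because its only cyber asset fails the BCA definition. Nothing here substitutes for the actual criteria text; it is only the logic of the list above made explicit.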
As complicated as the above list is, it in no way encompasses all of the steps
required to comply with CIP-002-5.1 R1. For example, every entity needs to
develop a “definition” for “Programmable”, as well as for the words “affect the
BES” in the BCA definition. Every entity with substations that contain
Transmission and Distribution Facilities needs to develop a methodology for
distinguishing the two, as well as their associated cyber assets. Etc, etc. And
then there are a huge number of questions on application of specific
bright-line criteria; in fact, I don’t think you could ever write them all
down, no matter how long you spent at it.
As I said in footnote ii below, I gave up a while ago on trying to write
down a complete list of steps for complying with CIP-002-5.1 R1. It simply
can’t be done, given the current wording of the standard. This is why literally
nobody is actually following the words of R1 and Attachment 1 in their
compliance process. It is simply impossible to do so.
Now compare the above 15+ steps to the five steps shown earlier in the
post – that is, the list of steps that entities are actually following as they
comply with CIP v5. Is there any wonder that entities are following this
methodology, even though it doesn’t at all follow the actual wording of the
requirement? There is simply no way
an entity could comply with the actual wording of CIP-002-5.1, no matter how
many years they spent trying to understand it.
In the next
post, I will discuss how I believe this mess came to pass.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
Even NERC follows this model. NERC hasn’t itself put out any guidance on the R1
compliance process. However, their February filing
with FERC on the results of the BES Cyber Asset Survey, which was based on an
implicit idea of R1 compliance, basically follows this model.
[ii]
I originally thought it would be possible to put together a list of all the steps
– actual and implied – required for R1 compliance. My last two major attempts
at this were both in 2014: here
and here.
I now realize there can be no definitive methodology, period. You could spend
the rest of your life trying to document the compliance process for R1, and you’d
die before you finished.
[iii]
For those who may be new readers of these posts, I have been pointing out for
quite a while that the substation criteria, 2.4 to 2.8, don’t actually apply to
substations at all, but to the Facilities at those substations. Facilities is a NERC-defined term and means a
line, a bus, a transformer, etc. This means that some of the BCS in a
substation subject to one of these criteria might be Low impact, not Medium.
I’ve discussed this in a number of posts, but this
post was dedicated to the issue.
[iv]
Another reason is that many entities aren’t sure about what is networked to
what in their substations. So even though they might be able to classify some
BCS as Low, they’re concerned that it wouldn’t make a difference since they
couldn’t show the Low BCS weren’t networked to the Medium BCS (which would make
the Low BCS into Medium PCAs, thus subjecting them to most of the requirements
of Medium BCS). I can’t argue with this idea, since they know their
substations; I don’t.
[v]
Of course, any purely Distribution facilities – that is, lines and other
facilities that don’t meet the BES definition in the first place – will not be
in scope for v5, regardless of which option the entity chooses. However, in
substations that mix Transmission and Distribution facilities (e.g., a
substation containing 69kV as well as 115kV lines), the people doing the
inventory need clear guidance on how to separate the two types; writing this
down isn’t as easy as it might seem. See this
post for further discussion of this point.
[vi]
Criterion 2.5 is confusing because – even though its subject is the word
“Facilities” – it does actually appear to be providing a criterion for
classifying the substation itself; this is the famous 3,000-point table.
However, what 2.5 actually does is a) Provide a criterion for Facilities to be
Medium impact (those Facilities “operating between 200 kV and 499 kV at a
single station or substation”), but then b) classify those Facilities as Medium
only in the case that the substation itself has three connections and meets the
3,000-point threshold. Of course, if step b weren’t there, then every line,
transformer, etc. between 200 and 499kV would be Medium impact – no matter
where it was located; the SDT clearly didn’t want this to happen.
[vii]
R1.1 – R1.3 use the term “Identify” in sending the user to Attachment 1, but
this really needs to be understood as “Classify”, since the purpose at this
point is to determine which BCS are Medium or High impact. It is assumed the
entity has already identified BCS at High and Medium assets, even though that
step isn’t called for anywhere in R1 or Attachment 1. This is a good example
where an excessive concern with brevity has made R1 impossible to comply with
as written.
[viii]
The “far-end relay” question is of course related to this. Many people became
quite upset when they came to believe that such a relay, on a 200-499kV line
that terminated in a Criterion 2.5 substation, would itself be Medium impact,
even if it were at a Low substation. However, NERC’s Lesson Learned on this
issue last September – which echoed what an Interested Party had pointed out to
me the previous June, as shown in this
post – pointed out that the particular wording of Criterion 2.5 (which wording
is also in 2.6) specifically prevents this from happening. Unfortunately, this
hasn’t prevented a number of people – including one or more NERC staff members
very involved in the CIP v5 effort – from mistakenly saying that there is now a
new principle that “Location does matter” – and this means that Medium BCS have
to be located at the asset they’re associated with, just as Highs do. That is
definitely not the case (although I wouldn’t object if NERC wanted to put out a
further LL saying this was actually a new principle and therefore legitimate –
I’ve heard it has been promulgated in one or more of the SGAS).